wordpress
Unpatched critical flaws impact Fancy Product Designer WordPress plugin
Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version. With more than 20,000 sales, the plugin allows customization of product designs (e.g. clothing, mugs, phone cases) on WooCommerce sites by changing colors, transforming text, or modifying the size. While examining the […]
Premium WPLMS WordPress plugins address seven critical flaws
Two WordPress plugins required by the premium WordPress WPLMS theme, which has over 28,000 sales, are vulnerable to more than a dozen critical severity vulnerabilities. The bugs could enable a remote, unauthenticated attacker to upload arbitrary files to the server, execute code, escalate privileges to administrator level, and perform SQL injections. The WPLMS theme is a learning management […]
390,000 WordPress accounts stolen from hackers in supply chain attack
A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. Researchers at Datadog Security Labs, who spotted the attacks, say that SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of […]
Hunk Companion WordPress plugin exploited to install vulnerable plugins
Hackers are exploiting a critical vulnerability in the “Hunk Companion” plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository. By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) […]
Hunk Companion WordPress plugin exploited to install vulnerable plugins
Hackers are exploiting a critical vulnerability in the “Hunk Companion” plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository. By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) […]
WPForms bug allows Stripe refunds on millions of WordPress sites
A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions. Tracked under CVE-2024-11205, the flaw was categorized as a high-severity problem due to the authentication prerequisite. However, given that membership systems are available on most sites, exploitation may be fairly […]
Security plugin flaw in millions of WordPress sites gives admin access
A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both free and Pro versions. Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used in […]
LiteSpeed Cache WordPress plugin bug lets hackers get admin access
The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights. LiteSpeed Cache is a caching plugin used by over six million WordPress sites, helping to speed up and improve user browsing experience. The newly discovered high-severity flaw […]
Over 6,000 WordPress hacked to install plugins pushing infostealers
WordPress sites are being hacked to install malicious plugins that display fake software updates and errors to push information-stealing malware. Over the past couple of years, information-stealing malware has become a scourge to security defenders worldwide as stolen credentials are used to breach networks and steal data. Since 2023, a malicious campaign called ClearFake has […]
Automattic blocks WP Engine’s access to WordPress resources
WordPress.org has banned WP Engine from accessing its resources and stopped delivering plugin updates to websites hosted on the platform, urging impacted users to choose other hosting providers. The open-source project claims that the move comes in response to WP Engine’s alteration of a WordPress core feature for its own profit and its blocking of […]